Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 10-12-2024 13:07
Static task
static1
Behavioral task
behavioral1
Sample
ORDER-6070Y689_0PF57682456_DECVC789378909740.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ORDER-6070Y689_0PF57682456_DECVC789378909740.js
Resource
win10v2004-20241007-en
General
Target: ORDER-6070Y689_0PF57682456_DECVC789378909740.js
Size: 7KB
MD5: e961e6c85529967631d08dc53a13f0ae
SHA1: 53d75f1fd3dd3f5738b395d6e66147f8e934bc7b
SHA256: 1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98
SHA512: f5ef8f0aa639238c6dde4d1e80cb6d80ab0ec8904eb4f2cfef332ae9b2e033bb2ee4cb1fc8012a7473dadd707e5847e6977d66c239e0efa3d95bd0cf8f787c4a
SSDEEP: 48:7PB7fqihtV7wGF7OE3qMdlwURxp7gltFYpHwmAhHmY6mn7U7f:7PB7fqihtNwm7OE3ZfJ7gltFYBZYh7yf
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: ralt kojp vxay jkla
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0006000000018742-19.dat | family_snakekeylogger
behavioral1/memory/2532-23-0x0000000000260000-0x0000000000286000-memory.dmp | family_snakekeylogger
Snakekeylogger family
Blocklisted process makes network request 23 IoCs
flow | pid | Process
4 | 2384 | wscript.exe
9 | 1724 | wscript.exe
13 | 1724 | wscript.exe
14 | 1724 | wscript.exe
15 | 1724 | wscript.exe
17 | 1724 | wscript.exe
18 | 1724 | wscript.exe
19 | 1724 | wscript.exe
21 | 1724 | wscript.exe
22 | 1724 | wscript.exe
23 | 1724 | wscript.exe
25 | 1724 | wscript.exe
26 | 1724 | wscript.exe
27 | 1724 | wscript.exe
29 | 1724 | wscript.exe
30 | 1724 | wscript.exe
31 | 1724 | wscript.exe
33 | 1724 | wscript.exe
34 | 1724 | wscript.exe
35 | 1724 | wscript.exe
37 | 1724 | wscript.exe
38 | 1724 | wscript.exe
39 | 1724 | wscript.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | wscript.exe
Executes dropped EXE 1 IoCs
pid | Process
2532 | ZqrN.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ZqrN.exe
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ZqrN.exe
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ZqrN.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | wscript.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | checkip.dyndns.org
8 | ip-api.com
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZqrN.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2532 | ZqrN.exe
2532 | ZqrN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2532 | ZqrN.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 2384 wrote to memory of 2120 | 2384 | wscript.exe | 32
PID 2384 wrote to memory of 2120 | 2384 | wscript.exe | 32
PID 2384 wrote to memory of 2120 | 2384 | wscript.exe | 32
PID 2120 wrote to memory of 2744 | 2120 | WScript.exe | 33
PID 2120 wrote to memory of 2744 | 2120 | WScript.exe | 33
PID 2120 wrote to memory of 2744 | 2120 | WScript.exe | 33
PID 2120 wrote to memory of 2852 | 2120 | WScript.exe | 34
PID 2120 wrote to memory of 2852 | 2120 | WScript.exe | 34
PID 2120 wrote to memory of 2852 | 2120 | WScript.exe | 34
PID 2744 wrote to memory of 2644 | 2744 | WScript.exe | 35
PID 2744 wrote to memory of 2644 | 2744 | WScript.exe | 35
PID 2744 wrote to memory of 2644 | 2744 | WScript.exe | 35
PID 2852 wrote to memory of 2532 | 2852 | WScript.exe | 36
PID 2852 wrote to memory of 2532 | 2852 | WScript.exe | 36
PID 2852 wrote to memory of 2532 | 2852 | WScript.exe | 36
PID 2852 wrote to memory of 2532 | 2852 | WScript.exe | 36
PID 2644 wrote to memory of 1724 | 2644 | WScript.exe | 37
PID 2644 wrote to memory of 1724 | 2644 | WScript.exe | 37
PID 2644 wrote to memory of 1724 | 2644 | WScript.exe | 37
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ZqrN.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ZqrN.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-6070Y689_0PF57682456_DECVC789378909740.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
   PID: 2384
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"
      - Suspicious use of WriteProcessMemory
      PID: 2120
      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"
         - Suspicious use of WriteProcessMemory
         PID: 2744
         4. C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 2644
            5. C:\Windows\System32\wscript.exe
               Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"
               - Blocklisted process makes network request
               - Drops startup file
               - Adds Run key to start application
               PID: 1724
      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
         - Suspicious use of WriteProcessMemory
         PID: 2852
         4. C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
            PID: 2532
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\json[1].json
Filesize: 291B
MD5: c085beeb6f771b90fed94c1d940f97f6
SHA1: 44a994d9175d6abaa9a3b5718e242fa659aed66a
SHA256: ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51
SHA512: 9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Filesize: 861KB
MD5: 2c38711037f77a66c571beca37212473
SHA1: dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8
SHA256: cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada
SHA512: 7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3

Filesize: 1.8MB
MD5: 5cbd790c1378134731dc246a81c93407
SHA1: 5830dbee39be0a297112f0c370ec0fe262e3481a
SHA256: 20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47
SHA512: b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8

Filesize: 1.1MB
MD5: 98580a656c68b3f635dc03194073f889
SHA1: 08fc5771841b25dbdbb1ba2e6c519add747e4413
SHA256: 0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae
SHA512: 0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d

Filesize: 129KB
MD5: ad1d0676362d866735f0d532f8e3d581
SHA1: a16badc35300527d38e9d3ff6af1c1e1265c5b39
SHA256: 09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c
SHA512: e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8

Filesize: 194KB
MD5: 8ca638b30fea8a14b3de0e271a4fc225
SHA1: 7c33f879a39b852f3e8b7d05ee3d240259696b5e
SHA256: 58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f
SHA512: 548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f